MITRE CVE Contract Extended Just Before Expiration

The Common Vulnerabilities and Exposures (CVE) Program is one of the most central programs in cybersecurity, so news that MITRE’s contract to run the program was expiring sent shock waves through the cybersecurity community.

But fears for the future of the globally recognized program underpinning vulnerability management were assuaged when CISA announced today that it was extending the MITRE CVE contract. The extension apparently is for 11 months, sources told The Cyber Express.

In a statement today to The Cyber Express, a spokesperson for the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said:

“The CVE Program is invaluable to cyber community and a priority of CISA. Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners’ and stakeholders’ patience.”

It’s not clear what the long-term future of the CVE program will be – CISA had floated the idea of bringing it in-house despite its own budget and staffing cuts – but at least for now, the program will continue as is.

MITRE CVE Contract Raises Cybersecurity Concerns

The panic started on April 15 with a news of a letter to the CVE Board from Yosry Barsoum, Vice President and Director of MITRE’s Center for Securing the Homeland, warning of the contract’s imminent expiration.

“If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure.” (image below)

MITRE released this statement in response to media inquiries:

“On Wednesday, April 16, 2025, funding for MITRE to develop, operate, and modernize the Common Vulnerabilities and Exposures (CVE) Program and related programs, such as the Common Weakness Enumeration (CWE) Program, will expire. The government continues to make considerable efforts to support MITRE’s role in the program and MITRE remains committed to CVE as a global resource.”

MITRE noted how valuable the program is to a wide range of cybersecurity services:

“The CVE Program anchors a growing cybersecurity vendor market worth more than $37 billion, providing foundational data to vendor products across vulnerability management, cyber threat intelligence, security information and event management, and endpoint detection and response.”

MITRE said historical CVE records will be available on GitHub at https://github.com/CVEProject, and also directed those seeking more information to visit the official CVE.org website.

However, today MITRE said “there is movement on the contract this morning to extend service to CVE,” but MITRE did not have information on the details.

Easterly: Serious Implications for Business Risk

In an April 15 post on LinkedIn, former CISA Director Jen Easterly said news of the MITRE contract expiration was “rightly raising alarms across the cybersecurity community. While this may sound like a technical issue, it has SERIOUS implications for business risk, operational resilience, and national security.”

“The CVE system may not make headlines, but it is one of the most important pillars of modern cybersecurity,”

Any disruption would also come amid an enduring backlog in processing CVEs in the National Vulnerability Database (NVD) at the National Institute of Standards and Technology (NIST). With more than 40,000 new vulnerabilities discovered last year, NIST continues to struggle with the volume of new vulnerabilities.

Related